Power utility Eskom is beefing up security on its online vending system (OVS), which was recently compromised by insiders.
The system was exploited to generate and distribute fraudulent prepaid electricity tokens, revealing critical vulnerabilities in both the physical and cyber security components of the utility’s prepaid electricity infrastructure.
In a statement issued yesterday, the state-owned company says it continues to take decisive action following the disclosure in its full-year 2024 financial results, released in December 2024, of a forensic report detailing the breach of the system.
In its financial results, the utility in December said its cyber risk assessment procedures and IT audit specialists concluded that a material breakdown of internal controls within the prepaid IT ecosystem had occurred.
Significant control deficiencies identified included inappropriate user access controls, dated systems with a lack of available data logs, inadequate backup procedures, and limited understanding by Eskom staff of the prepaid environment, including hardware and relevant systems.
It said the significant control deficiencies have resulted in an inability to determine the full extent of illicit prepaid tokens created.
Eskom says in response, it undertook a comprehensive review and intervention strategy aimed at mitigating these vulnerabilities and restoring system integrity.
“We uncovered weaknesses in physical and cyber security components on our OVS system,” says Monde Bala, Eskom group executive for distribution.
“Earlier this year, Eskom successfully strengthened the protection of its current systems against potential threats,” says Eskom chief technology and information officer Len De Villiers.
“All system enhancements are managed through a robust change management process that spans all divisions, ensuring consistent oversight and control. These measures are part of Eskom’s ongoing commitment to safeguarding operations and addressing identified vulnerabilities.”
While the investigation into the OVS system breach continues, Eskom says it has taken several proactive steps to strengthen its systems and restore public confidence.
The utility adds it has made progress in enhancing and protecting its infrastructure, ensuring greater resilience and reliability.
Internal controls to address electricity theft have been implemented, targeting one of the key vulnerabilities exposed by the breach. Measures have also been put in place to safeguard the system by reinforcing physical infrastructure and restricting physical and digital access to critical components, it notes.
Eskom has also enhanced its monitoring capabilities to improve transparency and enable timely reporting of irregularities.
In addition, the utility says it is working closely with law enforcement agencies to support the ongoing investigations and ensure accountability.
As part of this effort, internal employees who have been implicated have been placed on precautionary suspension, pending further review.
To better manage risks and secure operations, Eskom has augmented its in-house capabilities by engaging an external IT firm. System upgrades are being coordinated through a structured change management process, ensuring minimal disruption and maximum security.
Regular reporting to the Eskom board has continued throughout the remediation process, with the board maintaining oversight of all developments. Furthermore, Eskom has accelerated the acquisition of a new, secure vending system to replace the compromised OVS, with the goal of preventing similar incidents in the future.
“We are fully aware of the challenges that have emerged within the OVS environment and we have taken clear steps to address them,” says Eskom group chief executive Dan Marokane.
“Our focus is on restoring trust, strengthening our systems, and ensuring our customers can rely on a secure and efficient service. This is not just a technical fix, it is part of a broader commitment to transparency, operational excellence and accountability.”
While Eskom continues with its investigation, in conjunction with law enforcement agencies, the findings will only be shared once the process is complete and the appropriate time for disclosure has been determined, it notes.
“As Eskom strengthens its systems and governance, it calls on stakeholders and its customers to remain vigilant and report any suspicious activity related to prepaid electricity tokens,” it concludes.
Share